DMVPN Only One Spoke Connecting At A Time?

klombard
Level 1

Recently started a project with upgrading our remote site routers and connecting them via a new router here using DMVPN.  First site went up fine and has been working pretty well.  Just recently started working on the next site and I'm having trouble getting it to connect. 

HUB and Spoke 1 are working fine; I can ping back and forth both on the WAN IP and the tunnel IP.

HUB and Spoke 2: I can ping the WAN IPs, but not the tunnel IPs.

On HUB, when I issue the sh dmvpn command, I see the connection to Spoke 1, but nothing for Spoke 2.

On Spoke 2, I see a connection to HUB, but the state is IKE, and as previously mentioned, I cannot ping the tunnel IP for the HUB.

I've re-checked and recreated all the crypto information on both sides and re-created the tunnel interfaces, just to make sure everything is matching.

What I did notice is that the HUB only seems to be allowing one spoke at a time. By accident, while rebooting the hub and spoke 2, I noticed that when it came back up the HUB had connected to spoke 2 now, but wasn't allowing spoke 1 to connect.

I've removed all ACLs from the interfaces, so it shouldn't be an access problem.

Here's Tunnel config on HUB:

interface Tunnel0
 description mGRE - DMVPN Tunnel
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
!

Tunnel config on Spoke 1:

interface Tunnel0
 description Spoke 1 mGRE - DMVPN Tunnel
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1376
 tunnel source 2.2.2.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
!

Tunnel config on Spoke 2:

interface Tunnel0
 description Spoke 2 mGRE - DMVPN Tunnel
 ip address 172.16.0.3 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1376
 tunnel source 3.3.3.3
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
!

Here's some of the isakmp debug from Spoke 2:

Mar 19 14:58:19.583: ISAKMP:(1017):purging SA., sa=28DE47B8, delme=28DE47B8
Mar 19 14:58:23.383: ISAKMP: set new node 0 to QM_IDLE
Mar 19 14:58:23.383: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local 3.3.3.3, remote 1.1.1.1)
Mar 19 14:58:23.383: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 19 14:58:23.383: ISAKMP: Error while processing KMI message 0, error 2.
Mar 19 14:58:25.019: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Mar 19 14:58:25.019: ISAKMP (1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 19 14:58:25.019: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Mar 19 14:58:25.019: ISAKMP:(1018): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 19 14:58:25.019: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Mar 19 14:58:25.039: ISAKMP (1018): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 19 14:58:25.039: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Mar 19 14:58:25.039: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 20)
Mar 19 14:58:35.020: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Mar 19 14:58:35.020: ISAKMP (1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 19 14:58:35.020: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Mar 19 14:58:35.020: ISAKMP:(1018): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 19 14:58:35.020: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Mar 19 14:58:45.020: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Mar 19 14:58:45.020: ISAKMP:(1018):peer does not do paranoid keepalives.
Mar 19 14:58:45.020: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 1.1.1.1)
Mar 19 14:58:45.020: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 1.1.1.1)
Mar 19 14:58:45.020: ISAKMP: Unlocking peer struct 0x40B251B0 for isadb_mark_sa_deleted(), count 0
Mar 19 14:58:45.020: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 40B251B0
Mar 19 14:58:45.020: ISAKMP:(1018):deleting node 161814660 error FALSE reason "IKE deleted"
Mar 19 14:58:45.020: ISAKMP:(1018):deleting node -1000666081 error FALSE reason "IKE deleted"
Mar 19 14:58:45.020: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 19 14:58:45.020: ISAKMP:(1018):Old State = IKE_I_MM5  New State = IKE_DEST_SA

Any thoughts on what could be causing this?
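The debug excerpt above is easier to reason about once it is reduced to one summary per ISAKMP SA. The following Python triage script is an added example (not from the thread and not a Cisco tool): it parses `debug crypto isakmp` lines by SA id, counts phase-1 retransmits, records the last exchange sent, the teardown reason and the final state, and classifies the outcome. The sample lines are an excerpt of the Spoke 2 output posted above; the interpretation it encodes is the standard IOS main-mode sequence, in which an initiator in `IKE_I_MM5` sending `MM_KEY_EXCH` has sent its identity/hash (message 5) and is waiting for the responder's message 6.

```python
import re
from collections import defaultdict

# Excerpt of the 'debug crypto isakmp' output posted in the question (Spoke 2, initiator side).
DEBUG_LOG = """\
Mar 19 14:58:19.583: ISAKMP:(1017):purging SA., sa=28DE47B8, delme=28DE47B8
Mar 19 14:58:23.383: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local 3.3.3.3, remote 1.1.1.1)
Mar 19 14:58:23.383: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 19 14:58:25.019: ISAKMP (1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 19 14:58:25.019: ISAKMP:(1018): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 19 14:58:25.039: ISAKMP (1018): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar 19 14:58:25.039: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Mar 19 14:58:35.020: ISAKMP (1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 19 14:58:45.020: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 1.1.1.1)
Mar 19 14:58:45.020: ISAKMP:(1018):Old State = IKE_I_MM5  New State = IKE_DEST_SA
"""

# IOS prints the SA id as 'ISAKMP:(1018):' or 'ISAKMP (1018):'; some lines carry no id at all.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): ISAKMP:?\s*(?:\((?P<sa>\d+)\):?)?\s*(?P<msg>.*)$")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
SEND_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\S+) \(peer (\S+)\)')
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")


def parse_isakmp_debug(text):
    """Return {sa_id: summary} built from the per-SA lines of a debug capture."""
    sas = defaultdict(lambda: {"peer": None, "role": None, "last_exchange": None,
                               "attempts": 0, "max_attempts": None, "duplicates": 0,
                               "queued_ipsec_requests": 0, "delete_reason": None,
                               "final_state": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("sa") is None:
            continue                      # global messages carry no SA id; skip them
        sa, msg = sas[m.group("sa")], m.group("msg")
        if a := ATTEMPT_RE.search(msg):
            sa["attempts"] = max(sa["attempts"], int(a.group(1)))
            sa["max_attempts"] = int(a.group(2))
        elif s := SEND_RE.search(msg):
            sa["peer"], sa["role"], sa["last_exchange"] = s.group(1), s.group(2), s.group(3)
        elif d := DELETE_RE.search(msg):
            sa["delete_reason"], sa["role"] = d.group(1), d.group(2)
            sa["last_exchange"], sa["peer"] = d.group(3), d.group(4)
        elif t := STATE_RE.search(msg):
            sa["final_state"] = t.group(2)
        elif "duplicate of a previous packet" in msg:
            sa["duplicates"] += 1        # peer re-sent an earlier message instead of the next one
        elif "SA is still budding" in msg:
            sa["queued_ipsec_requests"] += 1  # phase 2 requests piling up behind an unfinished phase 1
    return dict(sas)


def diagnose(sa):
    """Classify one SA's outcome from the parsed fields."""
    reason = sa["delete_reason"] or ""
    if reason.startswith("Death by retransmission P1"):
        if sa["role"] == "I" and sa["last_exchange"] == "MM_KEY_EXCH":
            return "phase1-timeout-at-MM5"   # we sent message 5; the peer never sent message 6
        return "phase1-timeout"
    if sa["final_state"] == "IKE_P1_COMPLETE":
        return "phase1-complete"
    return "unknown"


if __name__ == "__main__":
    for sa_id, sa in parse_isakmp_debug(DEBUG_LOG).items():
        print(f"SA {sa_id}: role={sa['role']} peer={sa['peer']} last={sa['last_exchange']} "
              f"retransmits={sa['attempts']}/{sa['max_attempts']} reason={sa['delete_reason']!r} "
              f"-> {diagnose(sa)}")
```

On the excerpt, SA 1018 comes out as an initiator that used 5 of 5 retransmits at `MM_KEY_EXCH`, saw the hub re-send an earlier message instead of message 6, and was torn down with "Death by retransmission P1". That localises the problem to what the hub does with message 5 from 3.3.3.3 (whether it has a matching ISAKMP policy and pre-shared key for that peer, and whether anything in the path is dropping UDP 500), rather than to NHRP or routing, which never get a chance to run because phase 1 never completes.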

4 Replies

johnlloyd_13
Level 9

Hi,

Did you configure your dynamic routing protocol correctly?

Please post from both Hub and Spoke 2:

show ip nhrp
debug tunnel
debug nhrp

Sent from Cisco Technical Support iPad App

XIE YAO
Level 1

Just to make troubleshooting easier, you can first remove all IPSEC configuration and only focus on NHRP and dynamic routing.

If the 2 sites are working fine, then you can isolate this to IPsec, and you can then share the IPsec-related configuration here.
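Following the suggestion to separate NHRP from IPsec, the script below is an added example (not from the thread, not a Cisco tool) that parses the three `interface Tunnel0` blocks posted in the question and reports the tunnel and NHRP parameters that must agree across a DMVPN cloud: matching `network-id`, authentication string, MTU and IPsec profile, unique tunnel IPs and tunnel sources, and on each spoke an NHS and static NHRP/multicast mapping that point at the hub's tunnel IP and tunnel source. The three configs are copied from the post; the device names `hub`, `spoke1`, `spoke2` are labels chosen here.

```python
import ipaddress
import re

# The 'interface Tunnel0' blocks posted in the question, kept as raw IOS text.
HUB_CFG = """
interface Tunnel0
 description mGRE - DMVPN Tunnel
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
!
"""
SPOKE1_CFG = """
interface Tunnel0
 description Spoke 1 mGRE - DMVPN Tunnel
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1376
 tunnel source 2.2.2.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
!
"""
# Spoke 2 as posted differs from Spoke 1 only in description, tunnel IP and tunnel source.
SPOKE2_CFG = (SPOKE1_CFG.replace("Spoke 1", "Spoke 2")
              .replace("172.16.0.2 ", "172.16.0.3 ").replace("2.2.2.2", "3.3.3.3"))


def parse_tunnel(name, cfg):
    """Reduce one tunnel block to the fields that must agree across the DMVPN cloud."""
    t = {"name": name, "nhs": [], "map": {}, "mcast": [], "mcast_dynamic": False, "mgre": False}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            t["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip mtu (\d+)", line):
            t["mtu"] = int(m[1])
        elif m := re.match(r"ip nhrp authentication (\S+)", line):
            t["auth"] = m[1]
        elif m := re.match(r"ip nhrp network-id (\d+)", line):
            t["network_id"] = int(m[1])
        elif line == "ip nhrp map multicast dynamic":
            t["mcast_dynamic"] = True
        elif m := re.match(r"ip nhrp map multicast (\S+)", line):
            t["mcast"].append(m[1])
        elif m := re.match(r"ip nhrp map (\S+) (\S+)", line):
            t["map"][m[1]] = m[2]           # tunnel IP -> NBMA (transport) address
        elif m := re.match(r"ip nhrp nhs (\S+)", line):
            t["nhs"].append(m[1])
        elif m := re.match(r"tunnel source (\S+)", line):
            t["source"] = m[1]
        elif line == "tunnel mode gre multipoint":
            t["mgre"] = True
        elif m := re.match(r"tunnel protection ipsec profile (\S+)", line):
            t["profile"] = m[1]
    return t


def check_dmvpn(hub_cfg, spoke_cfgs):
    """Return a list of findings; an empty list means hub and spokes agree."""
    hub = parse_tunnel("hub", hub_cfg)
    spokes = [parse_tunnel(f"spoke{i}", c) for i, c in enumerate(spoke_cfgs, 1)]
    out = []
    if not hub["mcast_dynamic"]:
        out.append("hub: missing 'ip nhrp map multicast dynamic'")
    out += [f"{d['name']}: tunnel mode is not gre multipoint" for d in [hub] + spokes if not d["mgre"]]
    hub_tun, hub_nbma = str(hub["ip"].ip), hub["source"]
    for s in spokes:
        for key in ("network_id", "auth", "mtu", "profile"):   # must match the hub exactly
            if s.get(key) != hub.get(key):
                out.append(f"{s['name']}: {key.replace('_', '-')} {s.get(key)!r} differs from hub {hub.get(key)!r}")
        if s["ip"].network != hub["ip"].network:
            out.append(f"{s['name']}: tunnel IP {s['ip']} is not in hub subnet {hub['ip'].network}")
        if hub_tun not in s["nhs"]:
            out.append(f"{s['name']}: NHS {s['nhs']} does not point at hub tunnel IP {hub_tun}")
        if s["map"].get(hub_tun) != hub_nbma:
            out.append(f"{s['name']}: static NHRP map for {hub_tun} should be {hub_nbma}, got {s['map'].get(hub_tun)}")
        if hub_nbma not in s["mcast"]:
            out.append(f"{s['name']}: no 'ip nhrp map multicast {hub_nbma}' towards the hub")
    for what, get in (("tunnel IP", lambda d: str(d["ip"].ip)), ("tunnel source", lambda d: d["source"])):
        seen = {}
        for d in [hub] + spokes:
            if get(d) in seen:
                out.append(f"{d['name']}: {what} {get(d)} duplicates {seen[get(d)]}")
            seen[get(d)] = d["name"]
    return out


if __name__ == "__main__":
    for f in check_dmvpn(HUB_CFG, [SPOKE1_CFG, SPOKE2_CFG]) or ["no mismatches found"]:
        print(f)
```

Run against the three blocks as posted, the check reports no mismatches, which is consistent with the poster's observation that the NHRP side looks right and points back at the IPsec/IKE layer. The value of the script is on the next site: feed it the new spoke's tunnel block and any `network-id`, authentication or NHS typo is reported before the router is shipped, instead of showing up as a spoke that registers with the hub only sometimes.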

arshdeepkaur03
Level 1

Did you get the answer for that? What was the problem?

You need to give more information; that post was 10 years back. Things have changed recently in many ways.

I suggest opening a new post referring to this post, with your config details. Every problem is different (it may have the same symptoms as this issue, but most of the time it is not the same as the original post).

BB

***** Rate All Helpful Responses *****
